Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nonce seems to be static - recommanded conf is dangerous for static website generators #121

Open
5 of 9 tasks
quadristan opened this issue Mar 22, 2024 · 1 comment
Open
5 of 9 tasks

Nonce seems to be static - recommanded conf is dangerous for static website generators #121

quadristan opened this issue Mar 22, 2024 · 1 comment

Comments

@quadristan
Copy link

quadristan commented Mar 22, 2024
edited
Loading

Description

Trying to use this plugin within a static website is opening security holes by default.
For example if we follow #53, it will add static nonces on a static website.

I would recommend to disable nonces by default, and let the user enable them on when they know that they wont pack a static website

What type of issue is this? (place an x in one of the [ ])

  • bug
  • enhancement (feature request)
  • question
  • documentation related
  • testing related
  • discussion

Requirements (place an x in each of the [ ])

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

slackhq/csp-html-webpack-plugin version: 5.1.0

Steps to reproduce:

  1. create static website, such with as npx create-react-app my-app --template typescript
  2. Install and wire the plugin npm install react-app-rewired csp-html-webpack-plugin --save-dev
  3. Configure webpack overrides in config-overrides.js
const CspHtmlWebpackPlugin = require("csp-html-webpack-plugin");

module.exports = function override(config, env) {
  config.plugins.push(
    new CspHtmlWebpackPlugin({
      "script-src": "",
      "style-src": "",
    })
  );
  return config;
};
  1. Build with react-app-rewired build
  2. Check build/index.html file

Expected result:

Nonces are not static. At the very least, they should be generated by an inline script and injected

Actual result:

Static nonces are generated.
Uploading this to a CDN will allow anyone to grab the nunce and re-use it, bypassing the CSP

  <meta http-equiv="Content-Security-Policy"
    content="base-uri 'self'; object-src 'none'; script-src 'nonce-csu9vwLV51tCaN6biAAJFg=='; style-src 'nonce-vAVCeRTmI/cROWHcZcycQA=='">
@LoganKells
Copy link

I've used webpack to programmatically generate nonce values during each build.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LoganKells @quadristan